CVE-2025-27089

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any of the policies. E.g. have one policy allowing update access to field_a if the id == 1 and one policy allowing update access to field_b if the id == 2. The user with both these policies is allowed to update both field_a and field_b for the items with ids 1 and 2. Before v11, if a user was allowed to update an item they were allowed to update the fields that the single permission, that applied to that item, listed. With overlapping permissions this isn't as clear cut anymore and the union of fields might not be the fields the user is allowed to update for that specific item. The solution that this PR introduces is to evaluate